
Security Cheat Sheets

Quick reference cards for security and privacy — print and keep handy

🔐
Password Rules
Creating and managing secure passwords
DO
  • Use 20+ characters for important accounts
  • Unique password for every account
  • Use a password manager (Bitwarden, KeePassXC)
  • Mix case, numbers, and symbols
  • Passphrases: 4+ random words work great
DON'T
  • Reuse passwords — ever
  • Personal info: name, birthday, pet name
  • Keyboard patterns: qwerty, 123456
  • Leet speak: P@ssw0rd is NOT secure
  • Share passwords via email or chat
🎣
Phishing Red Flags
Email, SMS, and phone scam indicators
  • Sender domain ≠ company domain
  • URGENT / Account suspended / Act now
  • Link URL doesn't match display text
  • Generic greeting: "Dear Customer"
  • Unexpected attachments (.exe, .zip, .docm)
  • Requesting credentials, SSN, or payment
  • Caller asks for OTP / 2FA codes
  • Hover links before clicking
  • Verify via known phone/website — not from email
  • Report suspicious emails to IT
🚨
Incident Response
What to do when you've been hacked
ACCOUNT COMPROMISED
  1. Change password immediately from a clean device
  2. Enable 2FA if not already on
  3. Review and revoke active sessions
  4. Check for forwarding rules (email accounts)
  5. Notify contacts if messages sent in your name
MALWARE / RANSOMWARE
  1. Disconnect from network immediately
  2. Do NOT pay — no guarantee of recovery
  3. Restore from clean backup
  4. Report: FBI IC3 (US), NCSC (UK)
📱
2FA / MFA Reference
Multi-factor authentication methods ranked
  • 🥇 Hardware key (YubiKey, Passkey) — phishing-proof
  • 🥈 TOTP app (Aegis, Authy, Google Auth)
  • 🥉 Email code — use only if no better option
  • SMS — vulnerable to SIM-swap attacks
PRIORITY ACCOUNTS FOR 2FA
  • Email (controls password resets for everything)
  • Banking and financial accounts
  • Password manager
  • Social media
  • Cloud storage (Google Drive, iCloud, Dropbox)
🌐
Browser Hardening
Quick settings to improve browser privacy
  • Install uBlock Origin (blocks ads + trackers)
  • Enable HTTPS-only mode (all modern browsers)
  • Block third-party cookies (Settings → Privacy)
  • Disable browser password saving (use manager instead)
  • Review and remove unused extensions
  • Set DNS over HTTPS in browser settings
DON'T
  • Ignore certificate errors — never click "Advanced → Proceed"
  • Assume Incognito = anonymous (it's not)
💾
Backup Strategy (3-2-1)
Protect against ransomware and hardware failure
  • 3 copies of your data total
  • 2 different media (e.g. internal + external drive)
  • 1 offsite copy (cloud or physical remote location)
CRITICAL RULES
  • Keep one backup offline (air-gapped from ransomware)
  • Test restores regularly — backups you can't restore are worthless
  • Automate backups — manual backups get forgotten
  • Encrypt backups stored in cloud or sent offsite
  • Back up: photos, documents, code, password manager export
📋
HTTP Security Headers
Essential headers for web developers
  • Content-Security-Policy — mitigates XSS by restricting script sources
    default-src 'self'
  • Strict-Transport-Security — forces HTTPS
    max-age=31536000; includeSubDomains
  • X-Frame-Options — prevents clickjacking
    DENY
  • X-Content-Type-Options — prevents MIME sniffing
    nosniff
  • Referrer-Policy
    strict-origin-when-cross-origin
  • Permissions-Policy — restrict browser features
🛡️
Privacy Quick Wins
Do these first — max impact, min effort
  1. Install uBlock Origin browser extension
  2. Set up Bitwarden password manager
  3. Enable 2FA on email and bank (TOTP app)
  4. Use Signal for messaging
  5. Change DNS to 1.1.1.1 or NextDNS
  6. Opt out of ad tracking on phone
  7. Review app permissions (location, mic, camera)
  8. Enable full-disk encryption on all devices